Regulators warn banks: Beware ATM cyberattacks

Federal regulators have notified the nation’s banks of recent increases in cyberattacks on automatic teller machines and that banks could incur heavy losses as a result.

The warning, which was issued April 2 and made public on Thursday, said that one recent ATM attack “netted over $40 million in fraud using only 12 debit card accounts.”

“The members [regulators] are aware of a recent increase in cyberattacks launched in connection with this fraud, to gain access to, and alter the settings on, ATM Web-based control planes used by small-to-medium-size financial institutions,” said the bulletin from the Federal Financial Institutions Examination Council.

The attacks “may cause financial institutions to incur large dollars losses,” the bulletin continued. “Therefore, the members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorization systems, systems that manage ATM parameters, and fraud detection and response process.”

The attacks are known as Unlimited Operations, which the regulators described as “a category of ATM cash-out fraud where criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals.

“Criminals perpetrate the fraud by initiating cyberattacks to gain access to Web-based control panels, which enables them to withdraw customer funds from ATMs using stolen consumer debit, prepaid, or ATM account information.”

The bulletin went on to say that “criminals may begin the attack by sending phishing emails to employees of financial institutions as a means to install malicious software (malware) onto the institution’s network to determine how the institution access ATM control panels and obtain employee login credentials.

“These control panels, often Web-based, manage the amount of money customers may withdraw within a set time frame, the geographic limitations of withdrawals, the types of frequency [and] frequency of fraud reports.”

The bulletin did not offer any advice to consumers on how to avoid the fraud.